This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
A form search is a saved search with form fields that you must fill in before the search runs. When run, it appears as a form, and the user running it supplies the search parameters in the form fields. You can save any complicated search as a form search to make it reusable, with as many form fields as you like (learn how to create form searches).
For example, you can define a search that returns all Web server errors for any username to be specified at search time:
When run, this search appears as a form labeled user.
The search terms 503 OR 500 OR 404 sourcetype=access_common are still part of the search, but are not shown to the user.
Note: Form search works by text substitution, so a form field can stand in for any text in the search, not just an indexed or extracted field.
Form searches are saved searches. Run a form search by selecting it from the "Saved searches" menu in the search bar drop-down in Splunk Web.
If the saved search you select is a form search, then you'll be prompted with a form dialog like this:
Fill out the values in the form.
Note: You can substitute any text (not just a field) in a free-form text box in the form.
Refer to the Admin guide section on form searches to learn how to create form searches.